How to Lock User Accounts After Failed Login Attempts

This guide will show how to lock a system user’s account after a specifiable number of failed login attempts in CentOS, RHEL and Fedora distributions. Here, the focus is to enforce simple server security by locking a user’s account after consecutive number of unsuccessful authentications.

This can be achieved by using the pam_faillock module which helps to temporary lock user accounts in case of multiple failed authentication attempts and keeps a record of this event. Failed login attempts are stored into per-user files in the tally directory which is /var/run/faillock/ by default.

pam_faillock is part of Linux PAM (Pluggable Authentication Modules), a dynamic mechanism for implementing authentication services in applications and various system services which we briefly explained under configuring PAM to audit user login shell activity.

How to Lock User Accounts After Consecutive Failed Authentications

You can configure the above functionality in the /etc/pam.d/system-auth and /etc/pam.d/password-auth files, by adding the entries below to the auth section.

How to Test SSH User Failed Login Attempts

From the above settings, we configured the system to lock a user’s account after 3 failed authentication attempts.

In this scenario, the user tecmint is trying to switch to user aaronkilik, but after 3 incorrect logins because of a wrong password, indicated by the “Permission denied” message, the user aaronkilik’s account is locked as shown by “authentication failure” message from the fourth attempt.

Test User Failed Login Attempts

The root user is also notified of the failed login attempts on the system, as shown in the screen shot below.

Failed Login Attempts Message

How to View Failed Authentication Attempts

You can see all failed authentication logs using the faillock utility, which is used to display and modify the authentication failure log.

You can view failed login attempts for a particular user like this.

# faillock --user aaronkilik

View User Failed Login Attempts

To view all unsuccessful login attempts, run faillock without any argument like so:

Lastly, to tell the system not to lock a user or user’s accounts after several unsuccessful login attempts, add the entry marked in red color, just above where pam_faillock is first called under the auth section in both files (/etc/pam.d/system-auth and /etc/pam.d/password-auth) as follows.

That’s all! In this article, we showed how to enforce simple server security by locking a user’s account after x number of incorrect logins or failed authentication attempts. Use the comment form below to share your queries or thoughts with us.

Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.

Your name can also be listed here. Got a tip? Submit it here to become an TecMint author.